SC-100 Exam Questions

SC-100 Exam - Question 163


Your on-premises network contains an Active Directory Domain Services (AD DS) domain named corp.contoso.com and an AD DS-integrated application named App1.

Your perimeter network contains a server named Server1 that runs Windows Server.

You have a Microsoft Entra tenant named contoso.com that syncs with corp.contoso.com.

You plan to implement a security solution that will include the following configurations:

• Manage access to App1 by using Microsoft Entra Private Access.

• Deploy a Microsoft Entra application proxy connector to Server1.

• Implement single sign-on (SSO) for App1 by using Kerberos constrained delegation.

• For Server1, configure the following rules in Windows Defender Firewall with Advanced Security:
  o Rule1: Allow TCP 443 inbound from a designated set of Azure URLs.
  o Rule2: Allow TCP 443 outbound to a designated set of Azure URLs.
  o Rule3: Allow TCP 80 outbound to a designated set of Azure URLs.
  o Rule4: Allow TCP 389 outbound to the domain controllers in corp.contoso.com.

You need to maximize security for the planned implementation. The solution must minimize the impact on the connector.

Which rule should you remove?
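The firewall part of the planned implementation, as an added PowerShell example that is not part of the exam question or of Microsoft's documentation. The connector component in both Application Proxy and Private Access makes only outbound connections to the service (TCP 443 for the service channel and TCP 80 for certificate revocation checks), so an inbound TCP 443 allow rule on Server1 adds exposure without any benefit to the connector. The script assumes the four rules exist with display names Rule1 to Rule4 as described above; the endpoint used in the connectivity check is a placeholder to be replaced with the FQDNs from Microsoft's connector prerequisites.

```powershell
# Added example (not from the exam or from Microsoft): audit and tighten the
# Windows Defender Firewall rules on an Entra private network connector host.
# Assumptions: rules named Rule1..Rule4 exist as in the question; the endpoint
# list is a placeholder for the documented connector FQDNs.

$ConnectorTcpPorts = @('443', '80')   # the connector only needs these, outbound

function Get-InboundAllowRules {
    # Lists every enabled inbound Allow rule with its TCP/UDP ports, so that
    # anything not justified by a service actually listening can be reviewed.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        ForEach-Object {
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Name      = $_.DisplayName
                Protocol  = $port.Protocol
                LocalPort = ($port.LocalPort -join ',')
            }
        }
}

function Remove-UnneededConnectorInbound {
    param([string]$RuleName = 'Rule1')
    # The service never connects in to the connector, so an inbound TCP 443
    # allow only widens the attack surface. Removing it does not affect the
    # connector. Guard on direction/port so a wrong name is not deleted.
    $rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
    if ($null -eq $rule) { Write-Warning "$RuleName not found"; return }
    $port = $rule | Get-NetFirewallPortFilter
    if ($rule.Direction -eq 'Inbound' -and $port.Protocol -eq 'TCP' -and ($port.LocalPort -contains '443')) {
        Remove-NetFirewallRule -DisplayName $RuleName
        Write-Host "Removed $RuleName (inbound TCP 443 allow)"
    } else {
        Write-Warning "$RuleName is not an inbound TCP 443 allow rule; left in place"
    }
}

function Test-ConnectorOutbound {
    param([string[]]$Endpoints)
    # Confirms the rules that must stay (Rule2 and Rule3) still let the connector
    # reach the service on 443 and 80 after the inbound rule is gone.
    foreach ($fqdn in $Endpoints) {
        foreach ($p in $ConnectorTcpPorts) {
            $r = Test-NetConnection -ComputerName $fqdn -Port ([int]$p) -WarningAction SilentlyContinue
            [pscustomobject]@{ Endpoint = $fqdn; Port = $p; Reachable = $r.TcpTestSucceeded }
        }
    }
}

# Usage on Server1 (elevated session):
Get-InboundAllowRules | Format-Table -AutoSize
Remove-UnneededConnectorInbound -RuleName 'Rule1'
# Make "no inbound" the default rather than relying on the absence of rules.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
# Placeholder endpoint; substitute the FQDNs from the connector prerequisites page.
Test-ConnectorOutbound -Endpoints @('login.microsoftonline.com') | Format-Table -AutoSize
```

Two caveats a practitioner would want. Windows Defender Firewall matches on IP addresses, not URLs, so "a designated set of Azure URLs" can only be enforced here by resolving the FQDNs to addresses (which change) or, more commonly, by pointing the connector at an outbound proxy that filters by hostname. And Rule4 alone is not enough for Kerberos constrained delegation: the connector also needs Kerberos (TCP/UDP 88) to the domain controllers, so a rule set that lists only LDAP 389 would break SSO regardless of which rule is removed.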


Discussion

6 comments
Er_01 (Option: C)
Feb 2, 2025

https://learn.microsoft.com/en-us/entra/global-secure-access/how-to-configure-connectors The question is unclear about what “maximize security” means, as the doc says you need both 80 and 443 outbound. If it means allowing PKI to work, C is correct. A is wrong because inbound is not referenced at all. B can be correct, as 443 outbound allows this to work, using CA/GSA to meet the goal. D is wrong because Kerberos needs 88 to the DC, in addition to 389. All told, a terrible question.

Lrrr_FromOmicronPersei8 (Option: A)
Feb 1, 2025

Remove Rule1. Entra Application Proxy requires no inbound connectivity.

Ali96 (Option: C)
Feb 21, 2025

Since Rule3 (TCP 80 outbound) is less secure compared to the other rules, it should be removed to maximize security without significantly impacting the connector, assuming the connector can still operate without the need for HTTP (TCP 80) traffic.

Lrrr_FromOmicronPersei8
Mar 1, 2025

TCP 80 is needed for checking certificate CRLs in order to establish TLS.

424ede1
Mar 29, 2025

Wrong! Rule 3 uses these URLs to verify certificates. Check this out: https://learn.microsoft.com/en-us/entra/identity/app-proxy/application-proxy-configure-connectors-with-proxy-servers#proxy-outbound-rules

Lrrr_FromOmicronPersei8 (Option: A)
Mar 1, 2025

Remove Rule1, Entra ID Application Proxy relies on outbound-only connectivity.

424ede1 (Option: A)
Mar 29, 2025

In application proxy, ALL ACCESS IS OUTBOUND. The private network connectors only use outbound connections to the application proxy service in the cloud over ports 80 and 443. With no inbound connections, there's no need to open firewall ports for incoming connection. This strategy means that your backend servers are not exposed to direct HTTP traffic. They are better protected against targeted DoS because your firewall isn't under attack. https://learn.microsoft.com/en-us/entra/identity/app-proxy/overview-what-is-app-proxy#security-benefits

francescoc (Option: C)
Apr 16, 2025

HTTP (TCP 80) is unencrypted and inherently less secure than HTTPS (TCP 443).
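The CRL argument running through the comments above (TCP 80 outbound is there for revocation checking, not for plain-HTTP application traffic) can be checked directly. The following is an added PowerShell example, not from the exam or from any commenter: it opens a TLS connection to a host, takes the certificate the server presents, and lists the URLs in its CRL Distribution Points extension together with their scheme. The host name is an assumed placeholder; run it against the Azure endpoints the connector actually contacts.

```powershell
# Added example (not from the page): show which URLs a server certificate's
# revocation check would fetch. CRL distribution points are conventionally
# http:// (fetching a CRL over https would itself need a revocation check),
# which is why a connector host needs outbound TCP 80 even though all its
# service traffic is on 443.
function Get-CrlDistributionPoints {
    param([string]$HostName, [int]$Port = 443)
    $client = [System.Net.Sockets.TcpClient]::new($HostName, $Port)
    try {
        # Accept any certificate: we only inspect it here, we do not rely on it.
        $ssl = [System.Net.Security.SslStream]::new($client.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        # CRL Distribution Points extension is OID 2.5.29.31.
        $ext = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
        if (-not $ext) { return @() }
        # The Windows formatter renders each point as "URL=<uri>"; pull those out.
        $text = $ext.Format($true)
        [regex]::Matches($text, 'URL=(\S+)') | ForEach-Object { $_.Groups[1].Value }
    } finally {
        $client.Dispose()
    }
}

# Usage (placeholder host; substitute the connector's documented endpoints):
Get-CrlDistributionPoints -HostName 'login.microsoftonline.com' |
    ForEach-Object { [pscustomobject]@{ CrlUrl = $_; Scheme = ([uri]$_).Scheme } } |
    Format-Table -AutoSize
```

If every CRL URL printed has scheme http, blocking outbound TCP 80 means the connector's TLS handshakes to the service either fail or succeed without revocation checking, depending on the client's revocation policy; neither outcome is "more secure" than leaving Rule3 in place.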